Client Common Command Setting Items
Setting Item List
The common setting items for the client commands are listed below.
System Operating Environment Settings, Transmission Method Related
Description | Configuration Name |
---|---|
Protocol version (fixed to 2) | ProtocolVersion |
WSS options | WSSOptions |
WSS TLS 1.3 Cipher Suites | WSSCipherSuites |
WSS TLS 1.2 or earlier Cipher Suites | WSSCipherList |
Communication Data Compression Function
Description | Configuration Name |
---|---|
Compress level | CompressLevel |
Header compression | HeaderCompress |
Content compression | ContentCompress |
Data Flow Control, Bandwidth Control
Description | Configuration Name |
---|---|
Max receiving rate (per session) | MaxReceiveRate |
Max sending rate (per session) | MaxSendRate |
Max receive rate (per connection) | MaxConnectionReceiveRate |
Max send rate (per connection) | MaxConnectionSendRate |
Data Flow Control, File Lock Function
Description | Configuration Name |
---|---|
Use file lock | FileLock |
Number of trials to lock files | FileLockTrials |
The trial interval (in seconds) | FileLockTrialInterval |
Data Flow Control, Data Buffer Setting
Description | Configuration Name |
---|---|
Maximum buffer allocation size | MaxBufferSize |
HpFP transport buffer size extension | UDPTransportExtensionBufferSize |
TCP sending buffer | TCPTransportSocketSendBuffer |
Data Flow Control, Transfer File Size Control
Description | Configuration Name |
---|---|
Maximum receiving file size | MaxReceiveFileSize |
Maximum sending file size | MaxSendFileSize |
Data Flow Control, Message Data Size Control
Description | Configuration Name |
---|---|
Initial header block size | InitHeaderBlockSize |
Initial content block size | InitContentBlockSize |
Maximum header block size | MaxHeaderBlockSize |
Maximum content block size | MaxContentBlockSize |
Max file entry request | MaxRequestFileEntryAtOnce |
Code Transformation, Communication Encoding Negotiation
Description | Configuration Name |
---|---|
Transport character encoding | TransportCharEncoding |
Code Transformation, Host Character Encoding
Description | Configuration Name |
---|---|
Host character encoding | HostEncoding |
Authentication
Description | Configuration Name |
---|---|
LPA (Local Password Authentication) authentication | LocalPasswordAuthentication |
PAM (Pluggable Authentication Module) authentication | PAMAuthentication |
Public key authentication | PubkeyAuthentication |
Windows authentication | WinLogonUserAuthentication |
Number of prompts to enter password | NumberOfPasswordPrompts |
Specify directory for searching private keys (RSA auth) | IdentitySearchDir |
Specify file for finding a private key (RSA auth) | IdentityFile |
Configure priority of public key authentication | PubkeyAuthenticationPrior |
Encryption
Description | Configuration Name |
---|---|
Encryption method for message communication | AcceptableCryptMethod |
Digest method for validation of message and file data | AcceptableDigestMethod |
Disable MAC (Message Authentication Code) or not | DisableDataIntegrityChecking |
Acceptance of rejection for disabling MAC | AcceptDataIntegrityCheckingOnRejection |
Security Negotiation by Encryption Communications
Description | Configuration Name |
---|---|
Set requirement of the server certificate security to servers | RequireServerCertificateSecurity |
Disable fallback into communication without the security or not | RejectFallbackServerCertificateSecurity |
Ignore the common name of the server certificate in its validation | IgnoreCertificateCNInvalid |
Ignore fields of NotBefore and NotAfter of the certificate in its validation | IgnoreCertificateDateInvalid |
Ignore validation of CA certificate and intermediates of the certificate | IgnoreUnknownCA |
Ignore validation of CRL for the certificate | IgnoreRevocation |
Same as IgnoreCertificateCNInvalid on Web Socket SSL/TLS | WSSIgnoreCertificateCNInvalid |
Same as IgnoreCertificateDateInvalid on Web Socket SSL/TLS | WSSIgnoreCertificateDateInvalid |
Same as IgnoreUnknownCA on Web Socket SSL/TLS | WSSIgnoreUnknownCA |
Same as IgnoreRevocation on Web Socket SSL/TLS (Reserved) | WSSIgnoreRevocation |
File path where CA certificates and intermediates are saved | CACertificateFile |
Directory path where files including CA certificates and intermediates are saved (Reserved) | CACertificatePath |
File path where CRL are saved | CARevocationFile |
Directory path where files including CRL are saved (Reserved) | CARevocationPath |
Same as CACertificateFile on Web Socket SSL/TLS | WSSCACertificateFile |
Enable OCSP (Online Certificate Status Protocol) or not | OCSPRevocationEnabled |
Server host key's acceptance policy configuration | StrictHostKeyChecking |
Various Monitoring, Timeout Control
Description | Configuration Name |
---|---|
Set transport timeout | TransportTimeout |
Performance Evaluation
Description | Configuration Name |
---|---|
How to make pre-allocation in disk benchmark | DiskBenchmarkPreAllocation |
A unit size for the pre-allocation | DiskBenchmarkPreAllocationSize |
Direct I/O benchmark, alignment size specification | DiskBenchmarkDirectAlignmentSize |
Async I/O benchmark, NO_WAIT(reserved) | DiskBenchmarkAsyncNoWait |
Async I/O benchmark, maximum number of I/O events at once | DiskBenchmarkAsyncMaxEvents |
Async I/O benchmark, maximum number of taking event results at once | DiskBenchmarkAsyncMaxGetEvents |
Async I/O benchmark, a size of pool holding request buffers | DiskBenchmarkAsyncRequestPoolSize |
File size on additional disk benchmarks | DeepDiskBenchmarkFileSize |
Required free space on the benchmarks | DeepDiskBenchmarkFreeSpaceRequired |
A set of block sizes on the benchmarks | DeepDiskBenchmarkBlockSizes |
Log Management
Description | Configuration Name |
---|---|
Application diagnostic log configuration (old name: ApplicationLog) | DiagnosticLog |
Application diagnostic log level (old name: ApplicationLogLevel) | DiagnosticLogLevel |
Application statistics configuration | ApplicationStatLog |
Transport statistics configuration | TransportStatLog |
Set to output a security detail on application statistics | ApplicationStatLogSecurityEx |
System Operating Environment Settings, CPU Thread Control
Description | Configuration Name |
---|---|
Limit number of threads to use (Linux) | MaxConcurrentThread |
System Operating Environment Settings, Transmission Method Related
WSSOptions
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WSSOptions <opt_value>
-------------------------------------------------------------------------
opt_value
Format : ( NONE | <openssl_opt_values> )
Default : NONE
Range of Values : list of SSL/TLS option names defined by OpenSSL
=========================================================================
This option specifies the OpenSSL SSL/TLS options to be used for SSL/TLS communication. Use the option names described at the following URL.
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.html
SSL_CTX_set_options
--
Example :
WSSOptions SSL_OP_NO_COMPRESSION:SSL_OP_NO_SSLv3
--
WSSCipherSuites
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WSSCipherSuites <cs_value>
-------------------------------------------------------------------------
cs_value
Format : ( NONE | <openssl_cipher_suite_values> )
Default : NONE
Range of Values : list of Cipher Suites parameters defined by OpenSSL
=========================================================================
This option specifies the OpenSSL cipher suites to be used for TLS v1.3 communication. Use the names described at the following URL.
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
ciphers
Cipher suite names defined under "TLS v1.3 cipher suites"
--
Example :
WSSCipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
--
WSSCipherList
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WSSCipherList <clist_value>
-------------------------------------------------------------------------
clist_value
Format : ( NONE | <openssl_cipher_list> )
Default : NONE
Range of Values : Cipher List parameters defined by OpenSSL
=========================================================================
This option specifies the OpenSSL cipher list to be used for SSL/TLS communication with TLS 1.2 or earlier. Use the names described at the following URL.
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
ciphers
Cipher list in the format defined under "CIPHER LIST FORMAT" and "CIPHER STRINGS".
--
Example :
WSSCipherList RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:HIGH:!DSS:!aNULL
--
Communication Data Compression Function
CompressLevel
=========================================================================
Supported OS : Linux / Windows / Mac
Format : CompressLevel <compress-level>
-------------------------------------------------------------------------
compress-level
Default : -1
Range of Values : -1, 0 - 9
=========================================================================
The compression level of the transmission messages is set.
--
Example :
CompressLevel 9
--
When -1 is set, the compression level 6 is chosen.
When 0 is set, no compression will be performed.
HeaderCompress
=========================================================================
Supported OS : Linux / Windows / Mac
Format : HeaderCompress <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
The compression of the header information such as the file request is configured.
--
Example :
HeaderCompress no
--
ContentCompress
=========================================================================
Supported OS : Linux / Windows / Mac
Format : ContentCompress <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
The compression of file data (the data blocks created from the files) is configured.
--
Example :
ContentCompress no
--
Data Flow Control, Bandwidth Control
MaxReceiveRate
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxReceiveRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================
The shaping of receiving bandwidth on the transport by each session is set.
--
Example :
MaxReceiveRate 1Gbit
--
MaxSendRate
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxSendRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================
The shaping of sending bandwidth on the transport by each session is set.
--
Example :
MaxSendRate 1Gbit
--
MaxConnectionReceiveRate
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxConnectionReceiveRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================
The shaping of receiving bandwidth on the transport by each connection is set.
--
Example:
MaxConnectionReceiveRate 1Gbit
--
MaxConnectionSendRate
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxConnectionSendRate <bandwidth>
-------------------------------------------------------------------------
bandwidth
Default : 100Gbit
Range of Values : unsigned double-length integer
=========================================================================
The shaping of sending bandwidth on the transport by each connection is set.
--
Example:
MaxConnectionSendRate 1Gbit
--
Data Flow Control, File Lock Function
FileLock
Refer to the hcpd configurations.
FileLockTrials
Refer to the hcpd configurations.
FileLockTrialInterval
Refer to the hcpd configurations.
Data Flow Control, Data Buffer Setting
MaxBufferSize
=========================================================================
Supported OS : Linux / Windows
Format : MaxBufferSize <max-buf-size>
-------------------------------------------------------------------------
max-buf-size
Default : 1GB
Range of Values : unsigned double-length integer
=========================================================================
The maximum memory buffer size allowed to process data is set.
--
Example :
MaxBufferSize 1GB
--
UDPTransportExtensionBufferSize
=========================================================================
Supported OS : Linux / Windows / Mac
Format : UDPTransportExtensionBufferSize <ext-buf-size>
-------------------------------------------------------------------------
ext-buf-size
Default : 2GB
Range of Values : unsigned double-length integer (byte)
=========================================================================
The extended buffer size for HpFP (UDP) transport is set.
In HpFP sessions, the buffer size for transmission can be extended to the size specified in “hpfp_sndbuf” or “hpfp_rcvbuf” of “UDPListenAddress”, adjusting to delays and packet-losses or an increase of traffic. The total extended buffer is controlled to be up to the specified value.
When “0”, the total buffer size is not controlled.
The default buffer size (before extended) is 1MB.
--
Example :
UDPTransportExtensionBufferSize 4GB
--
TCPTransportSocketSendBuffer
=========================================================================
Supported OS : Linux / Windows / Mac
Format : TCPTransportSocketSendBuffer <snd-buf-size>
-------------------------------------------------------------------------
snd-buf-size
Format : <decimal_number>[[(T|G|M|K)]B]
Default : 0
Range of Values : unsigned double-length integer (byte)
=========================================================================
Specifies a TCP sending buffer size in bytes. 0 indicates no specification of this option.
This option is intended for TCP performance tuning in 100G environments. It is not needed in ordinary cases.
--
Example :
TCPTransportSocketSendBuffer 128MB
--
Data Flow Control, Transfer File Size Control
MaxReceiveFileSize
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxReceiveFileSize <file-size>
-------------------------------------------------------------------------
file-size
Default : 8EB - 1B (Unlimited. The maximum value of signed double-length integer)
Range of Values : signed double-length integer
=========================================================================
The maximum file size allowed to receive is set.
--
Example :
MaxReceiveFileSize 1GB
--
MaxSendFileSize
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxSendFileSize <file-size>
-------------------------------------------------------------------------
file-size
Default : 8EB - 1B (Unlimited. The maximum value of signed double-length integer)
Range of Values : signed double-length integer
=========================================================================
The maximum file size allowed to send is set.
--
Example :
MaxSendFileSize 1GB
--
Data Flow Control, Message Data Size Control
InitHeaderBlockSize
=========================================================================
Supported OS : Linux / Windows / Mac
Format : InitHeaderBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 50KB
Range of Values : unsigned double-length integer
=========================================================================
The initial header block size is set.
--
Example :
InitHeaderBlockSize 10KB
--
The maximum size allowed to create the header block including several messages such as file requests is set. This option is supposed to apply right after starting the communication.
InitContentBlockSize
=========================================================================
Supported OS : Linux / Windows / Mac
Format : InitContentBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 1MB
Range of Values : unsigned double-length integer
=========================================================================
The initial content block size is set.
--
Example :
InitContentBlockSize 2MB
--
The maximum size allowed to create the content block including several data of files is set. This option is supposed to apply right after starting the communication.
MaxHeaderBlockSize
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxHeaderBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 50KB
Range of Values : unsigned double-length integer
=========================================================================
The maximum extension size of the header block is set.
--
Example :
MaxHeaderBlockSize 100KB
--
When the transmission starts, the changeable header block size is increased or decreased by sensing the consumed bandwidth. This option gives the max value of the header block size to increase.
MaxContentBlockSize
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxContentBlockSize <block-size>
-------------------------------------------------------------------------
block-size
Default : 1MB
Range of Values : unsigned double-length integer
=========================================================================
The maximum extension size of the content block is set.
When performance hits a ceiling in environments such as those over 10Gbps, changing this value together with “InitContentBlockSize” may improve performance.
--
Example :
MaxContentBlockSize 4MB
--
When the transmission starts, the changeable content block size is increased or decreased by sensing the consumed bandwidth. This option gives the max value of the content block size to increase.
MaxRequestFileEntryAtOnce
=========================================================================
Supported OS : Linux / Windows / Mac
Format : MaxRequestFileEntryAtOnce <max-file-req-at-once>
-------------------------------------------------------------------------
max-file-req-at-once
Default : 50
Range of Values : signed integer
=========================================================================
The maximum number of file requests that may be sent simultaneously is set.
--
Example :
MaxRequestFileEntryAtOnce 1000
--
Code Transformation, Communication Encoding Negotiation
TransportCharEncoding
=========================================================================
Supported OS : Linux / Windows / Mac
Format : TransportCharEncoding <encodings>
-------------------------------------------------------------------------
encodings
Format : <encoding>[ ...]
Default : UTF8
-------------------------------------------------------------------------
encoding
Range of Values : US-ASCII, UTF8, UTF16, UTF32
=========================================================================
The string encoding method used in the transport is configured.
--
Example :
TransportCharEncoding UTF8 UTF16 US-ASCII
--
It is used to exchange strings, such as file paths, with the server. The encoding is chosen to match the server configuration.
Code Transformation, Host Character Encoding
HostEncoding
=========================================================================
Supported OS : Linux / Windows / Mac
Format : HostEncoding <encoding>
-------------------------------------------------------------------------
encoding
Default :
UTF-8 (Linux / Mac)
CP932 (Windows)
Range of Values : encoding name supported by system and encoding conversion library (platform-dependent).
=========================================================================
The string encoding for the host is configured.
--
Example :
HostEncoding EUC-JP
--
Authentication
LocalPasswordAuthentication
=========================================================================
Supported OS : Linux / Windows / Mac
Format : LocalPasswordAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
LPA authentication is set. When “no”, even though the server requests the authentication, LPA authentication is not executed.
--
Example :
LocalPasswordAuthentication no
--
PAMAuthentication
=========================================================================
Supported OS : Linux / Windows / Mac
Format : PAMAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
PAM authentication is set. When “no”, even though the server requests the authentication, PAM authentication is not executed.
--
Example :
PAMAuthentication no
--
PubkeyAuthentication
=========================================================================
Supported OS : Linux / Windows / Mac
Format : PubkeyAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
Public key authentication is set. When “no”, even though the server requests the authentication, public key authentication is not executed.
--
Example :
PubkeyAuthentication no
--
WinLogonUserAuthentication
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WinLogonUserAuthentication <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
Windows authentication is set. When “no”, even though the server requests the authentication, Windows authentication is not executed.
--
Example :
WinLogonUserAuthentication no
--
NumberOfPasswordPrompts
=========================================================================
Supported OS : Linux / Windows / Mac
Format : NumberOfPasswordPrompts <num-prompts>
-------------------------------------------------------------------------
num-prompts
Default : 3
Range of Values : signed integer
=========================================================================
This option specifies the number of prompts to enter a password (passphrase) for each authentication when performing password authentication with PAM, WLU or LPA, or when decrypting a private key. When every attempt up to the number of prompts fails, the next one goes on.
--
Example:
NumberOfPasswordPrompts 2
--
IdentitySearchDir
=========================================================================
Supported OS : Linux / Windows / Mac
Format : IdentitySearchDir <flag-available>
-------------------------------------------------------------------------
flag-available
Default :
/etc/hcp/keys (Linux)
C:/ProgramData/Clealink/HCP Tools/keys (Windows)
/usr/local/etc/hcp/keys (Mac)
Range of Values : path string of file system
=========================================================================
The search directory is configured in order to identify the user private key for public key authentication.
--
Example :
IdentitySearchDir /etc/hcp/keys
--
The following file name in the specified directory is searched as a file which stores the private key.
<user name>.key
This username is the local computer username, not the username of the destination server (that is specified by -u option or used in the login prompt.) In the case that the local computer username is different from the server username, make sure to set the local username.
On the Linux platform, files that have access permissions for Group and Other are skipped and a warning is displayed.
When a file with the same name as the user name and one of the following extensions exists in the same directory as the private key, the file is regarded as the client certificate and is authenticated.
- crt
- cer
This software supports the following formats of private keys.
- PEM
- OpenSSH v1
- PuTTY v2/v3
And it supports PEM formatted certificates.
The following key algorithms are supported.
- RSA (1024bits - 4096bits)
- ECDSA nistp256, nistp384, nistp521
- Ed25519
When key agents like ssh-agent and pageant are working on client hosts, public key authentication without passphrases will be performed for a key from keys that are detected by this configuration and in the following format.
- OpenSSH v1 formatted private key
- PuTTY v2/v3 formatted private key
Clients use ssh-agent on Linux/macOS and pageant on Windows (ssh-agent is not supported on Windows).
The old name of 'PrivateKeySearchDir' is available.
IdentityFile
=========================================================================
Supported OS : Linux / Windows / Mac
Format : IdentityFile <file-path>
-------------------------------------------------------------------------
file-path
Default :
(Linux / Mac)
~/.ssh/id_rsa ~/.ssh/id_ecdsa ~/.ssh/id_ed25519
~/.hcp/id_rsa ~/.hcp/id_ecdsa ~/.hcp/id_ed25519
(Windows)
~/_hcp/id_rsa ~/_hcp/id_ecdsa ~/_hcp/id_ed25519
Range of Values : the single file path which includes the user directory with a tilde (~)
=========================================================================
The path of the file with the key in the user home directory is configured in order to identify the user private key for RSA authentication.
--
Example :
IdentityFile ~/.hcp/id_rsa
--
On the Linux platform, files that have access permissions for Group and Other are skipped and a warning is displayed.
When both the specified file and a file with the same name and one of the following suffixes exist, the latter is regarded as the client certificate and is authenticated.
- crt
- cer
This software supports the following formats of private keys.
- PEM
- OpenSSH v1
- PuTTY v2/v3
And it supports PEM formatted certificates.
The following key algorithms are supported.
- RSA (1024bits - 4096bits)
- ECDSA nistp256, nistp384, nistp521
- Ed25519
The tokens %%, %d, %i, %r and %u are available, as defined under TOKENS in the following ssh_config manual.
https://man7.org/linux/man-pages/man5/ssh_config.5.html
TOKENS - IdentityFile
Multiple keys can be specified by repeating the configuration entry, with a single path in each entry.
IdentityFile ~/.hcp/id_mykey1
IdentityFile ~/.hcp/id_mykey2
IdentityFile ~/.hcp/id_mykey3
You cannot specify multiple paths in a single configuration entry.
When key agents like ssh-agent and pageant are working on client hosts, public key authentication without passphrases will be performed for a key from keys that are detected by this configuration and in the following format.
- OpenSSH v1 formatted private key
- PuTTY v2/v3 formatted private key
Clients use ssh-agent on Linux/macOS and pageant on Windows (ssh-agent is not supported on Windows).
The old name of 'PrivateKeyFile' is available.
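The key lookup rules above, as an added pre-flight check (example code written for this page, not part of the product). It assumes that "access permissions for Group and Other" means any group or other permission bit is set; the user names and the temporary directory in `demo()` are constructed samples.

```python
import getpass
import os
import stat
import tempfile


def key_status(path):
    """Classify a private key file: 'missing', 'not-a-file', 'skipped' or 'usable'."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISREG(mode):
        return "not-a-file"
    # Assumption: any rwx bit for group or other makes the client skip the key.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "skipped"
    return "usable"


def search_dir_candidate(search_dir, local_user=None):
    """Apply the IdentitySearchDir rule: <local user name>.key, plus .crt/.cer."""
    # The page stresses that this is the LOCAL user name, not the server login.
    user = local_user or getpass.getuser()
    key = os.path.join(search_dir, user + ".key")
    certs = [os.path.join(search_dir, f"{user}.{ext}") for ext in ("crt", "cer")]
    cert = next((c for c in certs if os.path.isfile(c)), None)
    return {"key": key, "status": key_status(key), "cert": cert}


def preflight(search_dir, identity_files=(), local_user=None):
    """Report on the search-directory key and on each IdentityFile entry."""
    report = [search_dir_candidate(search_dir, local_user)]
    for path in identity_files:
        full = os.path.expanduser(path)  # IdentityFile paths start with '~'
        report.append({"key": full, "status": key_status(full), "cert": None})
    return report


def demo():
    """Build a throwaway key directory (constructed sample) and check it."""
    with tempfile.TemporaryDirectory() as key_dir:
        samples = (("alice.key", 0o600), ("bob.key", 0o640), ("alice.crt", 0o644))
        for name, mode in samples:
            path = os.path.join(key_dir, name)
            with open(path, "w") as handle:
                handle.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        users = ("alice", "bob", "carol")
        return {u: search_dir_candidate(key_dir, u) for u in users}


if __name__ == "__main__":
    for user, result in demo().items():
        print(user, result["status"], result["cert"])
    # Against a real host, use the Linux defaults listed on this page:
    defaults = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519",
                "~/.hcp/id_rsa", "~/.hcp/id_ecdsa", "~/.hcp/id_ed25519"]
    for entry in preflight("/etc/hcp/keys", defaults):
        print(entry["status"].ljust(10), entry["key"])
```

A "skipped" result is fixed by `chmod 600` on the key file; "missing" for the search directory usually means the file is named after the server login rather than the local user.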
PubkeyAuthenticationPrior
=========================================================================
Supported OS : Linux / Windows / Mac
Format : PubkeyAuthenticationPrior <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
Whether public key authentication takes priority is set.
When “yes”, the client first searches for and loads the private key. If the key is encrypted, the password to decrypt it is requested (not supported on the Windows versions). The first successfully loaded RSA key is the one used for authentication (the others are ignored). When loading the private key is not successful, password authentication is tried.
When “no”, conventional authentication takes place. In the case of missing password, inputting the password is requested, and all authentication methods are tried.
--
Example :
PubkeyAuthenticationPrior no
--
Encryption
AcceptableCryptMethod
=========================================================================
Supported OS : Linux / Windows / Mac
Format : AcceptableCryptMethod <method-names>
-------------------------------------------------------------------------
method-names
Format : <method-name>[ ...]
Default : AES256/GCM AES256/CTR/VMAC AES256/CBC AES128/CBC
-------------------------------------------------------------------------
method-name
Range of Values : PLAIN, AES128/CBC, AES192/CBC, AES256/CBC, AES128/CBC/HMAC,
AES192/CBC/HMAC, AES256/CBC/HMAC, AES128/CBC/VMAC, AES192/CBC/VMAC,
AES256/CBC/VMAC, AES128/CBC/VMAC64, AES192/CBC/VMAC64, AES256/CBC/VMAC64,
AES128/CTR/HMAC, AES192/CTR/HMAC, AES256/CTR/HMAC, AES128/CTR/VMAC,
AES192/CTR/VMAC, AES256/CTR/VMAC, AES128/CTR/VMAC64, AES192/CTR/VMAC64,
AES256/CTR/VMAC64, AES128/GCM, AES192/GCM, AES256/GCM
=========================================================================
The cryptographic algorithm is configured.
When AES128/CBC is specified, it is interpreted as AES128/CBC/HMAC (they are the same algorithm; the same applies to AES192/CBC and AES256/CBC).
When communicating with a host whose version does not support the newer algorithms, such as CTR/GCM mode and VMAC mode, the algorithms the other host does not support are ignored in the connection negotiation. The communication still does not result in an error.
CTR/VMAC or GCM is recommended on networks over 1Gbps, e.g. AES256/GCM, AES256/CTR/VMAC. Encrypted communication using CBC or HMAC, e.g. AES256/CTR/HMAC, AES256/CBC/HMAC, can generally become a performance bottleneck on networks over 1Gbps. VMAC64 checks data integrity with 64 bits, fewer than the 128 bits of VMAC mode, which gives better performance but less secure data integrity.
--
Example :
AcceptableCryptMethod AES256/CBC PLAIN
--
It is used to encrypt the messages communicated with the server. The algorithm is chosen to match the server configuration.
AcceptableDigestMethod
=========================================================================
Supported OS : Linux / Windows / Mac
Format : AcceptableDigestMethod <method-names>
-------------------------------------------------------------------------
method-names
Format : <method-name>[ ...]
Default : XXH3 SHA256 SHA160
-------------------------------------------------------------------------
method-name
Range of Values : NONE, SHA160, SHA224, SHA256, SHA384, SHA512, MD5, MM32, MM128,
XXH3, XXH128, XXH64, XXH32
=========================================================================
The digest algorithm for data communication and verification of transferred files is configured.
--
Example :
AcceptableDigestMethod SHA256 SHA160 NONE
--
It is used to verify the messages, files, and data blocks communicated with the server. The algorithm is chosen to match the server configuration.
In encrypted communications using HMAC, such as AES256/CBC/HMAC, the algorithms other than the security digest algorithms (MD5, MM32, MM128, XXH3, XXH128, XXH64, XXH32) are treated as if nothing were configured.
MM32 and MM128 are discarded (their definitions are kept for configuration compatibility). Please use XXH3 instead.
DisableDataIntegrityChecking
=========================================================================
Supported OS : Linux / Windows / Mac
Format : DisableDataIntegrityChecking <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This setting specifies whether to request the server to ignore data integrity checking by MAC in encrypted communications with the server.
When “yes”, encrypted communication is transmitted without data integrity checking as long as the server permits it. If the server denies the request, the client follows the setting of “AcceptDataIntegrityCheckingOnRejection” below.
In normal use, “no” (default) is recommended. Note that data integrity checking is not executed with the setting “yes”, which is intended only for improving the performance of encrypted communication.
--
Example :
DisableDataIntegrityChecking yes
--
AcceptDataIntegrityCheckingOnRejection
=========================================================================
Supported OS : Linux / Windows / Mac
Format : AcceptDataIntegrityCheckingOnRejection <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
This setting specifies whether to continue transmitting when the server denies the request to ignore data integrity checking by MAC in encrypted communications.
When “yes”, the client continues transmitting with data integrity checking; when “no”, it stops transmitting and quits the application.
--
Example :
AcceptDataIntegrityCheckingOnRejection no
--
Security Negotiation by Encryption Communications
RequireServerCertificateSecurity
=========================================================================
Supported OS : Linux / Windows / Mac
Format : RequireServerCertificateSecurity <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
This sets whether secure communication by the server certificate security function is required. When “yes” and this function isn’t enabled on the host, the connection is denied.
--
Example :
RequireServerCertificateSecurity no
--
RejectFallbackServerCertificateSecurity
=========================================================================
Supported OS : Linux / Windows / Mac
Format : RejectFallbackServerCertificateSecurity <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
When secure communication by the server certificate security function cannot be established, the fallback to unsafe communication is rejected.
--
Example :
RejectFallbackServerCertificateSecurity no
--
IgnoreCertificateCNInvalid
=========================================================================
Supported OS : Linux / Windows / Mac
Format : IgnoreCertificateCNInvalid <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This setting skips the check of the server certificate common name. When “yes”, the comparison of the server certificate common name with the IP address or FQDN of the server is omitted.
--
Example :
IgnoreCertificateCNInvalid yes
--
IgnoreCertificateDateInvalid
=========================================================================
Supported OS : Linux / Windows / Mac
Format : IgnoreCertificateDateInvalid <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This setting skips the check of the server certificate expiration. When “yes”, the expiration of the server certificate is not checked.
--
Example :
IgnoreCertificateDateInvalid yes
--
IgnoreUnknownCA
=========================================================================
Supported OS : Linux / Windows / Mac
Format : IgnoreUnknownCA <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This setting skips the check of CA certificates. When “yes”, the intermediate certificate and the root certificate of the server certificate are not checked.
--
Example :
IgnoreUnknownCA yes
--
IgnoreRevocation
=========================================================================
Supported OS : Linux / Windows / Mac
Format : IgnoreRevocation <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This setting skips the certificate revocation check. When “yes”, the certificate revocation is not checked.
--
Example :
IgnoreRevocation yes
--
WSSIgnoreCertificateCNInvalid
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WSSIgnoreCertificateCNInvalid <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This option disables validation of the common name of server certificates sent to the client in communication via WebSocket with SSL/TLS. When yes is set, the WebSocket function does not check whether the common name on the received certificate is identical to the FQDN or IP address specified as the server.
--
Example :
WSSIgnoreCertificateCNInvalid yes
--
WSSIgnoreCertificateDateInvalid
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WSSIgnoreCertificateDateInvalid <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This option disables validation of the validity period of server certificates sent to the client in communication via WebSocket with SSL/TLS. When yes is set, the WebSocket function does not check whether NotBefore and NotAfter on the received certificate cover the current date and time.
--
Example :
WSSIgnoreCertificateDateInvalid yes
--
WSSIgnoreUnknownCA
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WSSIgnoreUnknownCA <flag-available>
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
=========================================================================
This option disables validation of the CA certificates bound to server certificates sent to the client in communication via WebSocket with SSL/TLS. When yes is set, the WebSocket function does not check whether the CA root certificate and intermediate certificates bound to the server certificate are available.
--
Example :
WSSIgnoreUnknownCA yes
--
CACertificateFile
=========================================================================
Supported OS : Linux / Windows / Mac
Format : CACertificateFile <file-path>
-------------------------------------------------------------------------
file-path
Default :
/etc/hcp/cacert.pem (Linux)
C:/ProgramData/Clealink/HCP Tools/cacert.pem (Windows)
/usr/local/etc/hcp/cacert.pem (Mac)
Range of Values : path string of file system
=========================================================================
The file path of the CA certificate for the server certificate is specified.
--
Example :
CACertificateFile /etc/hcp/cacert.pem
--
The PEM format certificates are supported.
CACertificatePath (reserved)
=========================================================================
Supported OS : Linux / Windows / Mac
Format : CACertificatePath <dir-path>
-------------------------------------------------------------------------
dir-path
Default : yes
/etc/ssl (Linux)
C:/ProgramData/Clealink/HCP Tools/ssl (Windows)
/usr/local/etc/ssl (Mac)
Range of Values : path string of file system
=========================================================================
The directory path of the CA certificate for the server certificate is specified.
--
Example :
CACertificatePath /etc/ssl
--
The PEM format certificates are supported.
CARevocationFile
=========================================================================
Supported OS : Linux / Windows / Mac
Format : CARevocationFile <file-path>
-------------------------------------------------------------------------
file-path
Default : yes
/etc/hcp/crl.pem (Linux)
C:/ProgramData/Clealink/HCP Tools/crl.pem (Windows)
/usr/local/etc/hcp/crl.pem (Mac)
Range of Values : path string of file system
=========================================================================
The file where the certificate revocation list (CRL) is stored for the server certificate is specified.
--
Example :
CARevocationFile /etc/hcp/crl.pem
--
The PEM format certificate revocation list (CRL) is supported.
CARevocationPath (reserved)
=========================================================================
Supported OS : Linux / Windows / Mac
Format : CARevocationPath <dir-path>
-------------------------------------------------------------------------
dir-path
Default : yes
/etc/ssl (Linux)
C:/ProgramData/Clealink/HCP Tools/ssl (Windows)
/usr/local/etc/ssl (Mac)
Range of Values : path string of file system
=========================================================================
The directory where the certificate revocation list (CRL) is stored for the server certificate is specified.
--
Example :
CARevocationPath /etc/ssl
--
The PEM format certificate revocation list (CRL) is supported.
WSSCACertificateFile
=========================================================================
Supported OS : Linux / Windows / Mac
Format : WSSCACertificateFile <file-path>
-------------------------------------------------------------------------
file-path
Default : none
Range of Values : path string of file system
=========================================================================
This option specifies a path of a file that includes CA certificates provided for validation of server certificates received on the WebSocket SSL/TLS communication. When this is not set, the WebSocket function will use the default CA certificates it detects.
--
Example :
WSSCACertificateFile /etc/hcp/cacert.pem
--
Certificates in PEM format, as ordinarily generated by OpenSSL tools, are supported.
OCSPRevocationEnabled
=========================================================================
Supported OS : Linux / Windows / Mac
Format : OCSPRevocationEnabled <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
This sets whether OCSP (Online Certificate Status Protocol) is used for the server certificate identification. When “yes”, it is enabled.
--
Example :
OCSPRevocationEnabled no
--
StrictHostKeyChecking
=========================================================================
Supported OS : Linux / Windows / Mac
Format : StrictHostKeyChecking <switch>
-------------------------------------------------------------------------
switch
Default : ask
Range of Values : ask, yes, no
=========================================================================
The policy to accept the server host is set here.
When “ask”, the user is asked to confirm whether to accept unknown keys.
When “yes”, authentication is stopped.
When “no”, authentication continues without confirmation.
--
Example :
StrictHostKeyChecking no
--
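Each setting from DisableDataIntegrityChecking through StrictHostKeyChecking has one value that relaxes a check the client performs by default, and the HMAC rule under AcceptableDigestMethod can silently empty a digest list. The following Python audit is an added example, not part of HCP Tools; it assumes one setting per line with whitespace-separated values as in the Example lines, and it assumes PLAIN means unencrypted communication. The function names and the sample configuration are constructed for illustration.

```python
# Added example: static audit of an HCP Tools client configuration.
# Setting names, values and defaults are those documented on this page.

# Flag settings and the documented non-default value that relaxes a check.
RELAXING = {
    "DisableDataIntegrityChecking": "yes",
    "RequireServerCertificateSecurity": "no",
    "RejectFallbackServerCertificateSecurity": "no",
    "IgnoreCertificateCNInvalid": "yes",
    "IgnoreCertificateDateInvalid": "yes",
    "IgnoreUnknownCA": "yes",
    "IgnoreRevocation": "yes",
    "WSSIgnoreCertificateCNInvalid": "yes",
    "WSSIgnoreCertificateDateInvalid": "yes",
    "WSSIgnoreUnknownCA": "yes",
    "OCSPRevocationEnabled": "no",
    "StrictHostKeyChecking": "no",
}
# Digests the page lists as "other than the security digest algorithms".
NON_SECURITY_DIGESTS = {"MD5", "MM32", "MM128", "XXH3", "XXH128", "XXH64", "XXH32"}


def normalize_crypt(method):
    """AES128/CBC, AES192/CBC and AES256/CBC are read as .../CBC/HMAC."""
    return method + "/HMAC" if method.endswith("/CBC") else method


def effective_digests(crypt_method, digests):
    """Digests still in force when crypt_method is the negotiated cipher."""
    if normalize_crypt(crypt_method).endswith("/HMAC"):
        return [d for d in digests if d not in NON_SECURITY_DIGESTS]
    return list(digests)


def audit(config_text):
    """Return findings as (line_number, setting_name, message) tuples."""
    findings, crypt, digests, digest_line = [], [], [], 0
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 2:
            continue  # blank line or a name without a value
        name, values = tokens[0], tokens[1:]
        if name in RELAXING:
            if values[0].lower() == RELAXING[name]:
                findings.append((lineno, name, f"'{values[0]}' relaxes the default check"))
        elif name == "AcceptableCryptMethod":
            crypt = values
            if "PLAIN" in values:
                # Assumption: PLAIN means the session may run unencrypted.
                findings.append((lineno, name, "PLAIN is listed as acceptable"))
        elif name == "AcceptableDigestMethod":
            digests, digest_line = values, lineno
            if "NONE" in values:
                findings.append((lineno, name, "NONE is listed as acceptable"))
            for d in values:
                if d in ("MM32", "MM128"):
                    findings.append((lineno, name, f"{d} is discarded; use XXH3"))
    # Cross-check: with an HMAC cipher, non-security digests count as unset.
    for method in crypt:
        if digests and not effective_digests(method, digests):
            findings.append((digest_line, "AcceptableDigestMethod",
                             f"no configured digest is in force with {normalize_crypt(method)}"))
    return findings


# Constructed sample configuration (not taken from a real deployment).
SAMPLE = """\
AcceptableCryptMethod AES256/CBC PLAIN
AcceptableDigestMethod XXH3 MM128
RequireServerCertificateSecurity yes
IgnoreUnknownCA yes
StrictHostKeyChecking no
CACertificateFile /etc/hcp/cacert.pem
"""

if __name__ == "__main__":
    for lineno, name, message in audit(SAMPLE):
        print(f"line {lineno}: {name}: {message}")
```

Lines whose first token is not one of the audited settings are ignored, so the audit can be run over a complete client configuration file.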
Various Monitoring, Timeout Control
TransportTimeout
Refer to the hcpd configurations.
Performance Evaluation
DiskBenchmarkPreAllocation
=========================================================================
Supported OS : Linux
Format : DiskBenchmarkPreAllocation <how-to-pre-alloc>
-------------------------------------------------------------------------
how-to-pre-alloc
Default : none
Range of Values : none, native, posix
=========================================================================
This option specifies how storage is pre-allocated in some disk writing benchmarks performed by the run-host-benchmark option.
‘none’ disables the pre-allocation in the benchmarks.
‘native’ performs the pre-allocation with the platform-dependent function, e.g., the fallocate function on Linux.
‘posix’ performs the pre-allocation with the POSIX function, i.e., the posix_fallocate function.
This option is used when performing benchmarks of Async I/O. Writing performance with the pre-allocation might be better than without it.
--
Example:
DiskBenchmarkPreAllocation native
--
DiskBenchmarkPreAllocationSize
=========================================================================
Supported OS : Linux
Format : DiskBenchmarkPreAllocationSize <pre-allocation-size>
-------------------------------------------------------------------------
pre-allocation-size
Default : 0
Range of Values : signed double-length integer
=========================================================================
This option specifies a unit size in bytes for the pre-allocation of storage described above.
When 0 or a negative value is specified, the pre-allocation is performed once for the size of the file written by each benchmark (one-time allocation).
--
Example:
DiskBenchmarkPreAllocationSize 1GB
--
DiskBenchmarkDirectAlignmentSize
=========================================================================
Supported OS : Linux
Format : DiskBenchmarkDirectAlignmentSize <alignment-size>
-------------------------------------------------------------------------
alignment-size
Default : 0
Range of Values : unsigned double-length integer
=========================================================================
This option specifies an alignment size in memory for the writing and reading buffers used in some disk benchmarks with Direct I/O performed by the run-host-benchmark option.
Specifying 0 indicates that the size is detected by querying the system and the result is used.
--
Example:
DiskBenchmarkDirectAlignmentSize 8KB
--
DiskBenchmarkAsyncNoWait (reserved)
DiskBenchmarkAsyncMaxEvents
=========================================================================
Supported OS : Linux
Format : DiskBenchmarkAsyncMaxEvents <num-max-events>
-------------------------------------------------------------------------
num-max-events
Default : 16
Range of Values : signed integer
=========================================================================
This option specifies a maximum number of events processed at once in some disk benchmarks with Asynchronous I/O performed by the run-host-benchmark option.
For example, when the measured writing performance on striped storage is lower than expected, increasing the maximum number might improve the result.
--
Example:
DiskBenchmarkAsyncMaxEvents 32
--
DiskBenchmarkAsyncMaxGetEvents
=========================================================================
Supported OS : Linux
Format : DiskBenchmarkAsyncMaxGetEvents <num-max-get-events>
-------------------------------------------------------------------------
num-max-get-events
Default : 1
Range of Values : signed integer
=========================================================================
This option specifies the maximum number of events whose results are taken at once in the benchmarks with Asynchronous I/O performed by the run-host-benchmark option.
It is used to observe how performance characteristics change as the number of results taken at once is increased.
--
Example:
DiskBenchmarkAsyncMaxGetEvents 4
--
DiskBenchmarkAsyncRequestPoolSize
=========================================================================
Supported OS : Linux
Format : DiskBenchmarkAsyncRequestPoolSize <pool-size>
-------------------------------------------------------------------------
pool-size
Default : 32
Range of Values : unsigned integer
=========================================================================
This option specifies a size of a pool holding user buffers as I/O requests in some disk benchmarks with Asynchronous I/O performed by the run-host-benchmark option.
--
Example:
DiskBenchmarkAsyncRequestPoolSize 64
--
DeepDiskBenchmarkFileSize
=========================================================================
Supported OS : Linux
Format : DeepDiskBenchmarkFileSize <file-size>
-------------------------------------------------------------------------
file-size
Default : 16GB
Range of Values : signed double-length integer
=========================================================================
This option specifies a file size used in some additional disk benchmarks performed by the run-host-benchmark option.
--
Example:
DeepDiskBenchmarkFileSize 32GB
--
DeepDiskBenchmarkFreeSpaceRequired
=========================================================================
Supported OS : Linux
Format : DeepDiskBenchmarkFreeSpaceRequired <free-space-size>
-------------------------------------------------------------------------
free-space-size
Default : 32GB
Range of Values : unsigned double-length integer
=========================================================================
This option specifies a disk free space required in some additional disk benchmarks performed by the run-host-benchmark option.
--
Example:
DeepDiskBenchmarkFreeSpaceRequired 64GB
--
DeepDiskBenchmarkBlockSizes
=========================================================================
Supported OS : Linux
Format : DeepDiskBenchmarkBlockSizes <block-size-set-desc>
-------------------------------------------------------------------------
block-size-set-desc
Default : 16KB 32KB 64KB 128KB 256KB 512KB 1MB 2MB
Range of Values : a set of block sizes separated with white spaces
=========================================================================
This option specifies a set of block sizes used in some additional disk benchmarks performed by the run-host-benchmark option.
--
Example:
DeepDiskBenchmarkBlockSizes 64KB 256KB 512KB 1MB
--
Log Management
DiagnosticLog
=========================================================================
Supported OS : Linux / Windows / Mac
Format : DiagnosticLog <log-level>[ <flag-available>][ <log-rotation-conf>][ <log-path>]
-------------------------------------------------------------------------
log-level
Default : INFO
Range of Values : EMERG, ALERT, CRIT, ERR, WARNING, INFO, DEBUG
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
-------------------------------------------------------------------------
log-path
Default : none
Range of Values : path string of file system
=========================================================================
The application diagnostic log settings. The log includes some details of errors for troubleshooting.
log-level specifies the log level.
With flag-available yes, the log is output.
log-rotation-conf specifies the log rotation. It works in the same way as the rotation behavior set in "SystemLog", although it doesn't rotate periodically.
log-path specifies the log path. When it is set with the command line parameter "-l" simultaneously, the command line parameter setting is applied.
--
Example1 :
DiagnosticLog WARNING FileSize 10MB 10
Example2 :
DiagnosticLog WARNING DatePattern yyyy-MM-dd
Example3 :
DiagnosticLog WARNING // the same as "DiagnosticLogLevel"
--
The old name 'ApplicationLog' is also available.
DiagnosticLogLevel
=========================================================================
Supported OS : Linux / Windows / Mac
Format : DiagnosticLogLevel <log-level>
-------------------------------------------------------------------------
log-level
Default : INFO
Range of Values : EMERG, ALERT, CRIT, ERR, WARNING, INFO, DEBUG
=========================================================================
The application diagnostic log level is set.
When it is set along with “DiagnosticLog”, only the log level is overwritten.
--
Example :
DiagnosticLogLevel WARNING
--
The old name 'ApplicationLogLevel' is also available.
ApplicationStatLog
=========================================================================
Supported OS : Linux / Windows / Mac
Format : ApplicationStatLog <flag-available>[ <log-rotation-conf>]
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
=========================================================================
The configuration on the application statistics is set.
When “yes” in “flag-available”, the application statistics information is output.
log-rotation-conf specifies the log rotation. It works in the same way as the rotation behavior set in “ApplicationStatLog” on hcpd.
--
Example1 :
ApplicationStatLog no
Example2 :
ApplicationStatLog yes FileSize 10MB 10
Example3 :
ApplicationStatLog yes DatePattern yyyy-MM-dd
--
TransportStatLog
=========================================================================
Supported OS : Linux / Windows / Mac
Format : TransportStatLog <flag-available>[ <log-rotation-conf>]
-------------------------------------------------------------------------
flag-available
Default : no
Range of Values : yes, no
-------------------------------------------------------------------------
log-rotation-conf
Format : ( FileSize <file-size> <backups> | DatePattern <date-pattern> )
-------------------------------------------------------------------------
file-size
Default : none
Range of Values : signed double-length integer
-------------------------------------------------------------------------
backups
Default : none
Range of Values : unsigned integer
-------------------------------------------------------------------------
date-pattern
Default : none
Range of Values : yyyy-MM, yyyy-MM-dd, yyyy-MM-dd-HH, yyyy-MM-dd-HH-mm
=========================================================================
The configuration on the transport statistics is set.
When “yes” in flag-available, the transport statistics data is output.
log-rotation-conf specifies the rotation rule. It works in the same way as the rotation behavior set in “TransportStatLog” on hcpd.
Rotation is carried out as below for the “FileSize” and “DatePattern” criteria, based on the specified path.
// FileSize cases
<specified path>.transport.tcp
<specified path>.transport.tcp.1
<specified path>.transport.tcp.2
...
<specified path>.transport.tcp.n
// DatePattern cases
<specified path>.transport.tcp
<specified path>.transport.tcp.2019-12-10
<specified path>.transport.tcp.2019-12-09
...
The header of the statistics information is not included in rotated files.
--
Example1 :
TransportStatLog yes
Example2 :
TransportStatLog yes FileSize 10MB 10
Example3 :
TransportStatLog yes DatePattern yyyy-MM-dd
--
ApplicationStatLogSecurityEx
=========================================================================
Supported OS : Linux / Windows / Mac
Format : ApplicationStatLogSecurityEx <flag-available>
-------------------------------------------------------------------------
flag-available
Default : yes
Range of Values : yes, no
=========================================================================
Whether to output detailed information on the security in the application statistics log is set.
--
Example :
ApplicationStatLogSecurityEx no
--
System Operating Environment Settings, CPU Thread Control
MaxConcurrentThread
=========================================================================
Supported OS : Linux
Format : MaxConcurrentThread <max-threads>
-------------------------------------------------------------------------
max-threads
Default : 0
Range of Values : signed integer
=========================================================================
The maximum number of threads is configured.